Security & Vulnerability Disclosure
Last updated: 28 June 2026
We take the security of Reticle and your data seriously. This page explains how to report a vulnerability and what you can expect from us.
1. Reporting a vulnerability
If you believe you've found a security vulnerability in Reticle, please email security@thereticleapp.com. Include enough detail to reproduce the issue (affected URL or endpoint, steps, and impact). We'll acknowledge your report, keep you updated on our progress, and let you know when it's resolved.
2. Please do
- Report what you find privately to security@thereticleapp.com and give us reasonable time to fix it before any public disclosure.
- Only test against your own account, workspace, and data.
- Stop and report immediately if you encounter another customer's data.
3. Please don't
- Access, modify, or delete data that isn't yours.
- Run denial-of-service, spam, or high-volume automated attacks against the Service.
- Use social engineering, phishing, or physical attacks against our team or infrastructure.
- Publicly disclose a vulnerability before we've had a chance to address it.
4. Safe harbor
We won't pursue or support legal action against researchers who act in good faith, follow this policy, and avoid privacy violations, data destruction, and service disruption. If you're unsure whether something is allowed, ask us first.
5. How we protect your data
Connected credentials (your AI provider key and Git tokens) are encrypted at rest and never shown again after you save them. Access to connected repositories is scoped to the permissions you grant, and workspaces are isolated from one another. Traffic is encrypted in transit.
- We don't host an AI model and we don't train on your code or feedback — edits run through your own provider key.
- You review every change; the agent commits only to the branch you connect, with guardrails that block edits to CI, secrets, and infrastructure.
- No method of transmission or storage is completely secure, so we can't guarantee absolute security.
6. Machine-readable policy
This policy is also published at /.well-known/security.txt (RFC 9116).
Questions about this document? Reach us via the contact form.